After President Donald Trump ordered the bombing of Iranian nuclear sites June 21, several alerts warned of heightened threats of counterattacks against American digital networks, water systems, power plants and other critical infrastructure.
Such attacks and espionage efforts, carried out in cyberspace by Iranian-aligned hacktivists or government operators, are nothing new, especially in Maryland, where a concentration of government agencies, defense contractors and an outsized digital footprint make the state a top target.
“The Washington area in general, and Maryland specifically, are definitely in the crosshairs of spying agencies,” said Charles Harry, a former National Security Agency senior intelligence officer. “I would fully expect MOIS [Iran’s intelligence agency] to be actively working [espionage] campaigns against both U.S. government networks as well as contractors. I would bet an awful lot of money that that is happening right now.”
Other security professionals said Iran, reeling from the bombing and agreeing to a ceasefire in its war with Israel, may be gathering intelligence but not currently plotting a cyberattack.
Iran and groups aligned with it have expanded their cyber capabilities in recent years, as Baltimore has witnessed firsthand.
In May, an Iranian national pleaded guilty in federal court to participating in an international ransomware and extortion plot that struck multiple cities and corporations, including Baltimore’s city government. The man, Sina Gholinejad, 37, faces a maximum penalty of 30 years in prison and is scheduled to be sentenced in August.
The 2019 cyberattack knocked out city employee email accounts, credit card payment systems, and other government functions and ultimately cost the city more than $19 million.
Iran’s cyber force, initially formed to control information within the theocracy, has grown into one of the top 10 most comprehensive cyber powers, a tier below Russia, China and North Korea in threat level to the U.S., according to a 2022 report by Harvard Kennedy School’s Belfer Center for Science and International Affairs.
Iran has invested heavily in cyber capabilities and expertise since the 2000s, and its attacks against the U.S. and Israel have been launched through government units, proxies and government-backed hacktivists. Targets have included government agencies, critical infrastructure and private industry.
Iran views the investment as “a strategic advantage. It’s part of their national security strategy, and it has been for years,” used against the U.S. and Israel as well as adversaries in the Middle East, said Anton “Tony” Dahbura, executive director of Johns Hopkins University’s Information Security Institute and co-director of the Johns Hopkins Institute for Assured Autonomy.
“This nation-state in the Middle East also happens to be one of the top cybersecurity attackers in the world,” and that’s less well known, Dahbura said.
For now, some security analysts believe the Iranian government is unlikely to launch a large-scale attack on U.S. infrastructure, but they do expect it to do something.
“They need to save face, but don’t want to do anything that will get Trump angry,” said James A. Lewis, a senior advisor in economic security and technology at the Center for Strategic and International Studies. “They will look for something splashy to do politically but won’t do anything disruptive. It’s too dangerous.”
Intelligence officials have accused Iran of seeking to influence U.S. elections through the longstanding use of cyber operations. Three federal agencies in August said the Iranian government tried to interfere in last year’s presidential election.
The intelligence community “is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the presidential campaigns of both political parties,” the Office of the Director of National Intelligence said in an announcement with the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, or CISA.
Potential targets are everywhere
Even with the U.S.’s sophisticated cybersecurity, there’s reason for concern, Dahbura said.
“We have such a large attack surface,” he said. “We have so many systems, companies and organizations, large and small, with different degrees of cyber awareness and hygiene. There are plenty of targets, unfortunately, in the U.S.”
As a small state with a comparatively larger digital footprint, Maryland “has more exposure, which potentially puts us at a greater risk” of a cyberattack, said Harry, now director of the Center for Governance of Technology and Systems at the University of Maryland, College Park.
The state has military installations, a port and other critical infrastructure that could be targeted, Harry said. But it also has access to sophisticated resources, such as the NSA, located at Fort George G. Meade alongside the military’s U.S. Cyber Command, that it could tap to stop an attack.
One potential vulnerability in the state is its local government systems, according to recently published research by Harry and colleagues.
The percentage of Maryland counties vulnerable to certain cyberattack scenarios, such as DNS misconfigurations or illicit access to government databases, is higher than in many other states, according to the research.
Harry said if Iran “wanted to do something bad,” it wouldn’t necessarily focus solely on federal systems but perhaps also seek to attack or gain access to county- or state-level operations. While attacking, say, a county’s water billing system may not serve Iran’s purposes, he said, that could be used as an entry point to “swim” toward other parts of the infrastructure.
“It could be a pathway to something more disruptive,” Harry said.
A series of warnings
On Sunday, the U.S. Department of Homeland Security issued a “terrorism advisory” covering the next three months, warning of heightened threats.
“Low-level cyberattacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks,” the bulletin said. “Both hacktivists and Iranian government-affiliated actors routinely target poorly secured US networks and Internet-connected devices for disruptive cyberattacks.”
Another warning popped up Sunday on LinkedIn from former CISA Director Jen Easterly. She noted Iran’s track record of retaliatory digital operations targeting water systems, financial institutions, energy pipelines and government networks. It is unknown, she said, whether those capabilities were damaged by recent Israeli strikes.
“In cyberspace, proximity doesn’t matter—intent, capability, and access do,” Easterly posted. “And Iran checks all three boxes.”
Iran’s capabilities are not as sophisticated as those in a country such as China, and thus its attacks are “more opportunistic and less strategic,” said Brandon Wales, a former CISA executive director.
Wales, now vice president of cybersecurity strategy for the security company SentinelOne, said Iranian actors would look for places with visible vulnerabilities “that they can easily exploit.
“Often these will be the same types of targets that will be at risk from criminal organizations that launch ransomware campaigns, for example,” Wales said. “And Maryland has some historic experience with that, with the ransomware attack against Baltimore.”
Wales cautioned against speculation, though, that Iran is plotting a cyberattack against the U.S. now, given the current ceasefire.
“I would draw a distinction between, do I think that there’s going to be an immediate attack in retaliation for the U.S. strikes on Iranian nuclear facilities right now, given everything that’s happened? No,” Wales said.
“Do I think that over the longer term, over the next year plus, might Iran be more willing to operate against the United States in cyber, might it be more willing to target things inside the United States, knowing that they suffered at the hands of Israel and the United States in the current conflict?” he asked. “That’s always something we need to watch out for.”
Since 2020, U.S. law enforcement officials have stopped multiple, potentially deadly Iranian-backed plots inside the country, Sunday’s Homeland Security bulletin said. It said foreign terrorist groups, such as HAMAS, Lebanese Hizballah, the Houthis and the Popular Front for the Liberation of Palestine, called for violence against U.S. assets and personnel in the Middle East after Israel’s attack.
Analysts said attackers look for the softest targets that yield the greatest impact, scanning the internet for exposed systems.
“The most likely scenario if Iran chooses to send us a message is that they’ll attack something that we all use,” Dahbura said. “We as Americans are used to feeling safe.”
By sabotaging a water system, power grid, transportation network or food supply, hackers seek to grab attention, disrupt daily life and shatter a sense of safety.
In late 2023, after the Oct. 7 attack on Israel, Cyber Av3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps, hacked into U.S. water plants that used Israeli-made control equipment. While the intrusions failed to disrupt water supplies, the breach prompted CISA to urge utilities to boost security, with steps such as updating software, changing default passwords, enabling multifactor authentication and improving network intrusion detection.
The risk of Iran launching retaliatory cyber attacks against the U.S. could increase over time, analysts said.
“We need to make sure that we’re prepared for both public and private sector entities across the country,” Wales said.
Both governmental and non-governmental systems should take steps toward security, Wales said.
“Now is the time for preparedness, not panic about the threat that they pose,” Wales said. “Ultimately, the responsibility for the security of any network is its owner — that school, that hospital, that bank, that oil facility, that state government. There are things that they have to do to make sure that their networks are secure.”
Have a news tip? Contact Lorraine Mirabella at lmirabella@baltsun.com or (410) 332-6672 and Jean Marbella at jmarbella@baltsun.com, 410-332-6060 or @jeanmarbella.bsky.social.